[14223] in bugtraq


Re: PGP Signatures security BUG!

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Mar 9 02:43:44 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000308181045.24C5C41F16@SIGABA.research.att.com>
Date:         Wed, 8 Mar 2000 13:10:39 -0500
Reply-To: smb@RESEARCH.ATT.COM
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To:         "Povl H. Pedersen" <pope@netguide.dk>
To: BUGTRAQ@SECURITYFOCUS.COM

In message <p04310108b4eabe46523c@[130.227.158.132]>, "Povl H. Pedersen" writes:

>
> It will take a long time to generate a new key with a specific
> fingerprint, but nonetheless, this 'overwriting' and hiding of other
> users IDs in the public PGP servers is bad.

Minor nit -- there's a big difference between a "fingerprint" -- which is the
result of a cryptographic hash on the key, and should *never* collide (and if
it does, you can get lots of attention by showing that the hash function isn't
strong enough) -- and a "key id", which is much shorter.

		--Steve Bellovin
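
The distinction drawn above, as an added example that is not part of the original message: it computes a full fingerprint and the shorter key ID for constructed keys, then shows that only the truncated value becomes ambiguous across a keyring. It assumes the OpenPGP version 4 key format (RFC 4880), which the message does not specify; the helper names, the sample "moduli" and the 16-bit toy width are constructed for illustration.

```python
import hashlib
import struct

def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_body(created, n, e=65537):
    """Body of a version 4 RSA public-key packet (algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def fingerprint(body):
    """V4 fingerprint: SHA-1 over 0x99, 2-byte body length, body (160 bits)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fp, bits=64):
    """Low-order `bits` of the fingerprint; 64 is the OpenPGP key ID."""
    return fp[-(bits // 8):]

def first_ambiguous_id(bodies, bits):
    """Index of the first key whose truncated ID matches a different earlier key."""
    seen = {}
    for i, body in enumerate(bodies):
        fp = fingerprint(body)
        if seen.setdefault(key_id(fp, bits), fp) != fp:
            return i
    return None

# Constructed sample data: 2000 distinct odd 1024-bit integers standing in for
# RSA moduli (not real keys), all with the same constructed creation time.
KEYS = [v4_rsa_body(952538400, (1 << 1023) + 2 * i + 1) for i in range(2000)]

if __name__ == "__main__":
    fp = fingerprint(KEYS[0])
    print("fingerprint:", fp.hex())
    print("key id     :", key_id(fp).hex())
    for bits in (16, 64, 160):  # 16 is a toy width, chosen so the effect is visible
        print(bits, "bit id, first ambiguous key:", first_ambiguous_id(KEYS, bits))
```

A keyring or keyserver lookup that must identify exactly one key should index on the full fingerprint and treat any shorter ID as a hint that can match several keys.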
